-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathMissingRegexpAnchor.qhelp
More file actions
60 lines (55 loc) · 2.29 KB
/
MissingRegexpAnchor.qhelp
File metadata and controls
60 lines (55 loc) · 2.29 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Sanitizing untrusted input with regular expressions is a common technique. However, it is
error-prone to match untrusted input against regular expressions without anchors such as
<code>^</code> or <code>$</code>. Malicious input can bypass such security checks by embedding
one of the allowed patterns in an unexpected location.
</p>
<p>
Even if the matching is not done in a security-critical context, it may still cause undesirable
behavior when the regular expression accidentally matches.
</p>
</overview>
<recommendation>
<p>
Use anchors to ensure that regular expressions match at the expected locations.
</p>
</recommendation>
<example>
<p>
The following example code checks that a URL redirection will reach the <code>example.com</code>
domain, or one of its subdomains, and not some malicious site.
</p>
<sample src="MissingRegexpAnchor.go"/>
<p>
The check with the regular expression match is, however, easy to bypass. For example, the string
<code>http://example.com/</code> can be embedded in the query string component:
<code>http://evil-example.net/?x=http://example.com/</code>.
</p>
<p>
Address these shortcomings by using anchors in the regular expression instead:
</p>
<sample src="MissingRegexpAnchorGood.go"/>
<p>
A related mistake is to write a regular expression with multiple alternatives, but to only anchor
one of the alternatives. As an example, the regular expression
<code>^www\.example\.com|beta\.example\.com</code> will match the host
<code>evil.beta.example.com</code> because the regular expression is parsed as
<code>(^www\.example\.com)|(beta\.example\.com)/</code>, so the second alternative
<code>beta\.example\.com</code> is not anchored at the beginning of the string.
</p>
<p>
When checking for a domain name that may have subdomains, it is important to anchor the regular expression
or ensure that the domain name is prefixed with a dot.
</p>
<sample src="MissingRegexpAnchorGoodDomain.go"/>
</example>
<references>
<li>OWASP: <a href="https://www.owasp.org/index.php/Server_Side_Request_Forgery">SSRF</a></li>
<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html">Unvalidated Redirects and Forwards Cheat Sheet</a>.</li>
</references>
</qhelp>